How VMware IT Leveraged the VMware Service-Defined Firewall


Transcript of How VMware IT Leveraged the VMware Service-Defined Firewall

Page 1: How VMware IT Leveraged the VMware Service-Defined Firewall

#vmworld

SAI1087BU

How VMware IT Leveraged the VMware Service-Defined Firewall

Swapnil Hendre, VMware, Inc.; Sukhjit Singh, VMware, Inc.

#SAI1087BU

VMworld 2019 Content: Not for publication or distribution

Page 2: How VMware IT Leveraged the VMware Service-Defined Firewall

©2019 VMware, Inc.

Disclaimer

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.


The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.

Page 3: How VMware IT Leveraged the VMware Service-Defined Firewall

Agenda

Why is Micro-Segmentation Necessary?

Application Discovery Process

Micro-Segmentation Use Case Review

Recommendations (Dos and Don’ts)

Q & A


Page 4: How VMware IT Leveraged the VMware Service-Defined Firewall

Traditional Single Application – How Threats Spread?

[Diagram: a traditional three-tier application. Traffic enters through the Perimeter Firewall to a Load Balancer in front of four WEB servers, then through a second Load Balancer to four APP servers, and finally through the Internal Firewall to two DB servers. Only the perimeter and internal firewalls separate the tiers; servers within a tier can talk to each other freely.]

Page 5: How VMware IT Leveraged the VMware Service-Defined Firewall

Zero-Trust Using NSX Micro-Segmentation

[Diagram: the same three-tier application (Perimeter Firewall, Load Balancer, four WEB servers, Load Balancer, four APP servers, Internal Firewall, two DB servers), now with NSX micro-segmentation enforcing zero-trust policy between the individual VMs of each tier rather than only at the tier boundaries.]

Page 6: How VMware IT Leveraged the VMware Service-Defined Firewall

Where We Started

[Diagram: four phases – Planning, Evaluation, Application Discovery, Global Deployment – with the following steps shown in slide order: Define success criteria; Define test cases; Application Selection (Simple, Complex); Execute POCs; Functional Testing; Publish Results; Production Pilot; Log Insight; vRealize Network Insight; Finalize reference architecture; Operationalization; Phased Global Deployment.]

Page 7: How VMware IT Leveraged the VMware Service-Defined Firewall

Application Discovery Using Flow Monitoring

[Diagram: a compute cluster of VMs attached to a vSphere Distributed Switch. Flow Monitoring (NetFlow) records from the switch are exported to vRealize Network Insight, and SYSLOG is sent to a SYSLOG collector in the Log Insight cluster (vRealize Log Insight).]

Page 8: How VMware IT Leveraged the VMware Service-Defined Firewall

vRealize Network Insight: Micro-Segmentation Planning

Page 9: How VMware IT Leveraged the VMware Service-Defined Firewall

vRealize Network Insight: Transformative Operations for Software-Defined Data Center and Cloud

● 360° Network Visibility & Analytics

● Best Practices, Health and Availability of NSX Deployment

● Security (Micro-segmentation) Modeling & Planning, Audit & Compliance

● Across Physical, Virtual and Cloud

Page 10: How VMware IT Leveraged the VMware Service-Defined Firewall


DEMO: vRealize Network Insight


Page 11: How VMware IT Leveraged the VMware Service-Defined Firewall


Micro-Segmentation Use Case Review


Page 12: How VMware IT Leveraged the VMware Service-Defined Firewall

Micro-Segmentation: Use Case Reviews

● Securing VDI Using NSX

● Securing SAP Using NSX

● Securing VMware Cloud On AWS

● Securing Horizon Desktop On Azure

Page 13: How VMware IT Leveraged the VMware Service-Defined Firewall


Securing VMware Cloud on AWS Using NSX


Page 14: How VMware IT Leveraged the VMware Service-Defined Firewall

VMware Cloud on AWS Overview

[Diagram: VMware Cloud™ on AWS, powered by VMware Cloud Foundation (vSphere incl. VIC, vSAN, NSX, and Operational Management via vRealize Suite and the ISV ecosystem), running on the AWS Global Infrastructure alongside native AWS services. The customer data center runs its own vCenter, linked to the vCenter in VMware Cloud on AWS.]

Page 15: How VMware IT Leveraged the VMware Service-Defined Firewall

VMware Cloud On AWS – Securing Workload Using NSX-T

[Diagram: a Core services SDDC (DNS, OpenLDAP, NTP, SMTP, Active Directory, Puppet, Load Balancers, Multi-factor authentication (MFA) and other Security Services) and application workloads (Application 1, Application 2, Application 3 in Pool 1 and Pool 2), each behind an NSX-T Firewall, connected to the on-premises environment over Direct Connect.]

Page 16: How VMware IT Leveraged the VMware Service-Defined Firewall


DEMO: Public Cloud Security Using NSX-T (VMware Cloud On AWS)


Page 17: How VMware IT Leveraged the VMware Service-Defined Firewall


Securing Horizon Desktop On Azure Using NSX-Cloud


Page 18: How VMware IT Leveraged the VMware Service-Defined Firewall

Securing Horizon Desktop On Azure: Micro-Segmentation Using NSX Cloud

[Diagram: Horizon Desktop On Azure. The on-premises network reaches Azure through a COLO Gateway over an ExpressRoute Circuit. In Azure: a short-lived Deployment Engine; a Public IP, an Azure Load Balancer and two Unified Access Gateways in the DMZ; Base Image(s); Active Directory; an optional WS1 Connector; RDS License Server(s); Node Marketplace; RDS Farm(s); and the VDI desktops.]

Page 19: How VMware IT Leveraged the VMware Service-Defined Firewall

Securing Horizon Desktop On Azure: Micro-Segmentation Using NSX Cloud

[Diagram: the same Horizon Desktop On Azure topology as the previous slide (COLO Gateway, ExpressRoute Circuit, Deployment Engine, Public IP, Azure Load Balancer, Unified Access Gateways in the DMZ, Base Image(s), Active Directory, optional WS1 Connector, RDS License Server(s), Node Marketplace, RDS Farm(s), VDI desktops), repeated for the NSX Cloud micro-segmentation discussion.]

Page 20: How VMware IT Leveraged the VMware Service-Defined Firewall


Securing VDI Using NSX Micro-Segmentation


Page 21: How VMware IT Leveraged the VMware Service-Defined Firewall

Secure VDI Infrastructure Using NSX

Requirement

● Secure communication between Virtual Desktops

Challenges prior to NSX

● Could not create firewall rules without hairpinning

● Could not create dynamic firewall rules

● Complex firewall rules for Layer 2 traffic

[Diagram: a Thin Client connecting through VMware View Manager, with Active Directory, to Centralized Virtual Desktops running on VMware vSphere and protected by the NSX Distributed Firewall.]

Page 22: How VMware IT Leveraged the VMware Service-Defined Firewall

Secure VDI Infrastructure Using NSX

[Diagram: the same VDI topology (Thin Client, VMware View Manager, Active Directory, Centralized Virtual Desktops on VMware vSphere, NSX Distributed Firewall), with the VDI Resource Group highlighted.]

Solution

● Deploy NSX-DFW and implement a rule to block traffic between members of the VDI resource group

Firewall Rule     Source        Destination   Service   Action
FWR_VDI_Block     SG_VDI_DYN    SG_VDI_DYN    Any       Block

Page 23: How VMware IT Leveraged the VMware Service-Defined Firewall


Securing SAP Using NSX


Page 24: How VMware IT Leveraged the VMware Service-Defined Firewall

Micro-Segmentation For SAP Using NSX – Logical Architecture

[Diagram: the SAP landscape grouped into User Experience, Application Lifecycle Management Tools, Data Integration / Delivery, Governance, Risk & Compliance, Enterprise Applications and Content Management. Components shown include NWBC, SAPGUI, BO/BI Tools and BI Reporting (via Desktop/VIEW), Fiori Launchpad (Smartphone/Tablet), Solution Manager, Landscape Virtualization Management, System Landscape Directory, Training, SAP Landscape Transformation, Business Object (DS, IS, IPS, DQM), Process Orchestration, Gateway, GRC, Business Suite, Master Data Governance, Native HANA, Vertex O Series, uPerform / Productivity Pak, Content Server, Document Management and Adobe Document Services, each running on Netweaver or an App Server backed by an Oracle DB, HANA DB or MaxDB.]

Page 25: How VMware IT Leveraged the VMware Service-Defined Firewall

SAP Without Micro-Segmentation

[Diagram: a Perimeter firewall and an Inside router/firewall in front of three zones – App (ERP, GRC, BI, PO, MDG, SBO), Services (AD, NTP, DNS, BKP, MON, SMTP) and DB – with no enforcement between the systems inside a zone.]

Page 26: How VMware IT Leveraged the VMware Service-Defined Firewall

SAP With Micro-Segmentation Using NSX Distributed Firewalls

● Each VM can now be its own perimeter

● Policies align with logical groups

● Unauthorized traffic is blocked

[Diagram: the same App (ERP, GRC, BI, PO, MDG, SBO), Services (AD, NTP, DNS, BKP, MON, SMTP) and DB zones behind the Perimeter firewall and Inside firewall, now with distributed firewall enforcement at each VM.]

Page 27: How VMware IT Leveraged the VMware Service-Defined Firewall

NSX Security Group Topology For SAP

[Diagram: a four-level hierarchy – Master Nested Security Group, Nested Security Groups, Security Group, Group Members.]

SG-SAP-ALL (master nested security group)

  SG-SAP-APP (nested security group)

    SG1-ERP-APP-DYN: ERP-APP-1, ERP-APP-2

    SG2-PO-APP-DYN: PO-APP-1, PO-APP-2

    … (one dynamic group per SAP system)

    SG16-MDG-APP-DYN: MDG-APP-1, MDG-APP-2

  SG-SAP-DB (nested security group)

    SG1-ERP-DB-DYN: ERP-DB-1, ERP-DB-2

    SG2-PO-DB-DYN: PO-DB-1, PO-DB-2

    … (one dynamic group per SAP system)

    SG16-MDG-DB-DYN: MDG-DB-1, MDG-DB-2

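The nested-group topology above, together with the FWR_VDI_Block rule from the VDI use case, can be exercised with a small policy simulator. This is an added example, not code from the presentation or from NSX itself: the VM-name regexes used as dynamic membership criteria, the SG-INFRA-AD group, the SAP allow rules, the Oracle listener port and the rule order are assumptions made for illustration. It shows why dynamic groups matter operationally: a VM that appears with a matching name inherits the policy of its group without any rule change.

```python
"""Policy model for nested NSX security groups with dynamic membership and
first-match distributed-firewall evaluation. Constructed example for
illustration; NSX resolves membership and enforces rules at each vNIC."""
import re
from dataclasses import dataclass

# Dynamic membership criteria: VM-name regex per group. Constructed, modelled
# on the SG<n>-<app>-<tier>-DYN naming of the SAP topology and the SG_VDI_DYN
# group of the VDI slide. SG-INFRA-AD is an assumed extra group.
DYNAMIC_CRITERIA = {
    "SG1-ERP-APP-DYN": r"^ERP-APP-\d+$",
    "SG1-ERP-DB-DYN": r"^ERP-DB-\d+$",
    "SG2-PO-APP-DYN": r"^PO-APP-\d+$",
    "SG2-PO-DB-DYN": r"^PO-DB-\d+$",
    "SG_VDI_DYN": r"^VDI-\d+$",
    "SG-INFRA-AD": r"^AD-\d+$",
}

# Nested groups: parent -> child groups, as on the topology slide
# (only ERP and PO are modelled here; the slide goes up to SG16-MDG).
NESTED = {
    "SG-SAP-APP": ["SG1-ERP-APP-DYN", "SG2-PO-APP-DYN"],
    "SG-SAP-DB": ["SG1-ERP-DB-DYN", "SG2-PO-DB-DYN"],
    "SG-SAP-ALL": ["SG-SAP-APP", "SG-SAP-DB"],
}


def direct_members(group, vms):
    """VMs whose name satisfies the group's dynamic criterion."""
    pattern = DYNAMIC_CRITERIA.get(group)
    return {vm for vm in vms if pattern and re.match(pattern, vm)}


def effective_members(group, vms, _seen=None):
    """Direct members plus the members of nested groups, resolved recursively;
    _seen guards against a cycle in the nesting definition."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    members = direct_members(group, vms)
    for child in NESTED.get(group, []):
        members |= effective_members(child, vms, _seen)
    return members


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # security group name or "any"
    destination: str
    service: str       # "proto/port" or "any"
    action: str        # "ALLOW" or "BLOCK"


# Ordered rule table, first match wins. FWR_VDI_Block is the rule from the
# VDI slide; the SAP rules and the Oracle listener port (1521) are assumptions.
RULES = [
    Rule("FWR_VDI_Block", "SG_VDI_DYN", "SG_VDI_DYN", "any", "BLOCK"),
    Rule("SAP-ERP-APP-to-DB", "SG1-ERP-APP-DYN", "SG1-ERP-DB-DYN", "tcp/1521", "ALLOW"),
    Rule("SAP-PO-APP-to-DB", "SG2-PO-APP-DYN", "SG2-PO-DB-DYN", "tcp/1521", "ALLOW"),
    Rule("SAP-ALL-to-AD", "SG-SAP-ALL", "SG-INFRA-AD", "tcp/389", "ALLOW"),
    Rule("Default-Deny", "any", "any", "any", "BLOCK"),
]


def _selects(selector, vm, vms):
    return selector == "any" or vm in effective_members(selector, vms)


def evaluate(src_vm, dst_vm, service, vms, rules=RULES):
    """Return (rule name, action) of the first rule matching the flow."""
    for rule in rules:
        if (_selects(rule.source, src_vm, vms)
                and _selects(rule.destination, dst_vm, vms)
                and rule.service in ("any", service)):
            return rule.name, rule.action
    return "implicit", "BLOCK"  # only reached without a default-deny rule


# Constructed inventory.
VMS = ["ERP-APP-1", "ERP-APP-2", "ERP-DB-1", "PO-APP-1", "PO-DB-1",
       "VDI-101", "VDI-102", "AD-1"]

if __name__ == "__main__":
    for flow in [("VDI-101", "VDI-102", "tcp/445"),
                 ("ERP-APP-1", "ERP-DB-1", "tcp/1521"),
                 ("ERP-APP-1", "PO-DB-1", "tcp/1521"),
                 ("PO-APP-1", "AD-1", "tcp/389")]:
        print(flow, "->", evaluate(*flow, VMS))
```

Desktop-to-desktop traffic hits FWR_VDI_Block, ERP app-to-DB traffic is allowed by its own rule, ERP-to-PO cross-application traffic falls through to the default deny (the "unauthorized traffic is blocked" bullet), and the SG-SAP-ALL rule shows membership being resolved through two levels of nesting.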

Page 28: How VMware IT Leveraged the VMware Service-Defined Firewall

Recommendations: Dos and Don’ts


Page 29: How VMware IT Leveraged the VMware Service-Defined Firewall

Recommendations: Micro-Segmentation Deployment

PLANNING

• Application Discovery: vRealize Network Insight, vRealize Log Insight

• Phased Deployment


Page 30: How VMware IT Leveraged the VMware Service-Defined Firewall

Recommendations: Micro-Segmentation Deployment – 5 Step Process

1. Assess current environment: Network Assessment

2. Security Group Creation: Create Security Groups For All Applications

3. Identify Application Boundaries: Discover services, applications and their boundaries!

4. Get Recommended Firewall Rules: Application Discovery Recommendations from vRNI

5. Repeat, Monitor, Troubleshoot: Deploy micro-segmentation starting with the most critical apps first!

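Steps 3 and 4 (application discovery from flow data and recommended firewall rules) are illustrated below with an added example that is not code from the presentation and does not reproduce vRealize Network Insight's own analysis. The addresses, security-group names and packet counts are constructed; the point is the shape of the work: roll NetFlow-style records up to group-to-group services, turn the clean pairs into candidate allow rules, and route anything ambiguous (endpoints missing from the inventory, traffic inside a single group) to a human instead of silently allowing it.

```python
"""Roll constructed NetFlow-style flow records up to security-group pairs and
derive candidate allow rules for review. Constructed example, not vRealize
Network Insight's algorithm; addresses, groups and counts are made up."""
from collections import defaultdict

# Inventory: VM address -> security group (constructed; in practice this comes
# from vCenter tags or NSX dynamic membership criteria).
VM_GROUP = {
    "10.1.1.11": "SG-WEB", "10.1.1.12": "SG-WEB",
    "10.1.2.21": "SG-APP", "10.1.2.22": "SG-APP",
    "10.1.3.31": "SG-DB",
    "10.1.9.9": "SG-INFRA-DNS",
}

# Constructed flow records: (src, dst, proto, dport, packets), the fields a
# NetFlow export from the distributed switch would provide.
FLOWS = [
    ("10.1.1.11", "10.1.2.21", "tcp", 8443, 120),
    ("10.1.1.12", "10.1.2.22", "tcp", 8443, 98),
    ("10.1.2.21", "10.1.3.31", "tcp", 1521, 300),
    ("10.1.2.22", "10.1.3.31", "tcp", 1521, 280),
    ("10.1.1.11", "10.1.9.9", "udp", 53, 40),
    ("10.1.2.21", "10.1.9.9", "udp", 53, 12),
    ("10.1.1.11", "10.1.1.12", "tcp", 445, 3),     # web-to-web lateral traffic
    ("192.0.2.77", "10.1.1.11", "tcp", 443, 500),  # endpoint outside the inventory
]


def summarize(flows, vm_group):
    """Aggregate packets per (src_group, dst_group, proto, dport). Endpoints
    missing from the inventory are labelled UNKNOWN rather than dropped."""
    totals = defaultdict(int)
    for src, dst, proto, dport, packets in flows:
        key = (vm_group.get(src, "UNKNOWN"), vm_group.get(dst, "UNKNOWN"),
               proto, dport)
        totals[key] += packets
    return dict(totals)


def recommend_rules(totals):
    """Split the roll-up into candidate ALLOW rules and review items. Flows
    inside one group or touching UNKNOWN endpoints need a human decision, so
    they are never turned into rules automatically."""
    rules, review = [], []
    for (src_group, dst_group, proto, dport), packets in sorted(totals.items()):
        item = {"source": src_group, "destination": dst_group,
                "service": f"{proto}/{dport}", "packets": packets}
        if "UNKNOWN" in (src_group, dst_group) or src_group == dst_group:
            review.append(item)
        else:
            rules.append({**item, "action": "ALLOW"})
    return rules, review


def render(rules):
    """Format rules as the Source / Destination / Service / Action table
    used on the VDI slide."""
    lines = [f"{'Source':14} {'Destination':14} {'Service':10} Action"]
    for r in rules:
        lines.append(f"{r['source']:14} {r['destination']:14} "
                     f"{r['service']:10} {r['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules, review = recommend_rules(summarize(FLOWS, VM_GROUP))
    print(render(rules))
    for item in review:
        print("REVIEW:", item)
```

The review bucket is what distinguishes discovery from blind rule generation: the web-to-web SMB flow may be legitimate management traffic or the first sign of lateral movement, and the flow from an address the inventory does not know about must be attributed before any rule names it. The recording window also has to be long enough to capture periodic jobs (backups, month-end batches), or the recommended allow list will be incomplete.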

Page 31: How VMware IT Leveraged the VMware Service-Defined Firewall

Recommendations: Micro-Segmentation Deployment

PLANNING

• Application Discovery: vRealize Network Insight, vRealize Log Insight

• Phased Deployment

PRODUCTION DEPLOYMENT

• Greenfield Deployment

• Brownfield Deployment

FIREWALL POLICY MODEL

• Application Based: Dynamic, Advanced Security Services

• Infrastructure Based: Global Policies, Network Based

OPERATIONALIZATION

• Alerts / Notifications

• Roles and Responsibilities

• Day 2 Support

• Training


Page 32: How VMware IT Leveraged the VMware Service-Defined Firewall


VMware IT’s Micro-Segmentation Journey


Page 33: How VMware IT Leveraged the VMware Service-Defined Firewall

Zero-Trust Implementation – Micro-Segmentation Using NSX: VMware IT’s Journey

[Timeline with the milestones Start of Journey; Production Pilot; Greenfield Deployments; POC – Securing Using NSX-T; Brownfield Deployments; Operationalization; PROD Pilots Using NSX-T; Public Cloud Security; NSX Intelligence. Dates marked on the timeline: Mar 2015, July 2015, Nov 2015, Mar 2016, July 2017, Jan 2019, June 2019, July 2019, Oct 2019.]

Page 34: How VMware IT Leveraged the VMware Service-Defined Firewall

Resources: How to get started

LEARN: Design Guides – nsx.techzone.vmware.com

TRY: Demos; Take a Hands-on Lab

CONNECT: Join VMUG, VMware Communities (VMTN); @VMwareNSX #runNSX
